From 00720f0e7f288d29681d265c23b22bb0f0f4e5b4 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Wed, 8 Apr 2020 21:04:31 +0200 Subject: [PATCH 1/6] smack: avoid unused 'sip' variable warning The mix of IS_ENABLED() and #ifdef checks has left a combination that causes a warning about an unused variable: security/smack/smack_lsm.c: In function 'smack_socket_connect': security/smack/smack_lsm.c:2838:24: error: unused variable 'sip' [-Werror=unused-variable] 2838 | struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; Change the code to use C-style checks consistently so the compiler can handle it correctly. Fixes: 87fbfffcc89b ("broken ping to ipv6 linklocal addresses on debian buster") Signed-off-by: Arnd Bergmann Signed-off-by: Casey Schaufler --- security/smack/smack.h | 6 ------ security/smack/smack_lsm.c | 25 ++++++++----------------- 2 files changed, 8 insertions(+), 23 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 62529f382942..335d2411abe4 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -148,7 +148,6 @@ struct smk_net4addr { struct smack_known *smk_label; /* label */ }; -#if IS_ENABLED(CONFIG_IPV6) /* * An entry in the table identifying IPv6 hosts. */ @@ -159,9 +158,7 @@ struct smk_net6addr { int smk_masks; /* mask size */ struct smack_known *smk_label; /* label */ }; -#endif /* CONFIG_IPV6 */ -#ifdef SMACK_IPV6_PORT_LABELING /* * An entry in the table identifying ports. */ @@ -174,7 +171,6 @@ struct smk_port_label { short smk_sock_type; /* Socket type */ short smk_can_reuse; }; -#endif /* SMACK_IPV6_PORT_LABELING */ struct smack_known_list_elem { struct list_head list; @@ -335,9 +331,7 @@ extern struct smack_known smack_known_web; extern struct mutex smack_known_lock; extern struct list_head smack_known_list; extern struct list_head smk_net4addr_list; -#if IS_ENABLED(CONFIG_IPV6) extern struct list_head smk_net6addr_list; -#endif /* CONFIG_IPV6 */ extern struct mutex smack_onlycap_lock; extern struct list_head smack_onlycap_list; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8c61d175e195..14bf2f4aea3b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -50,10 +50,8 @@ #define SMK_RECEIVING 1 #define SMK_SENDING 2 -#ifdef SMACK_IPV6_PORT_LABELING -DEFINE_MUTEX(smack_ipv6_lock); +static DEFINE_MUTEX(smack_ipv6_lock); static LIST_HEAD(smk_ipv6_port_list); -#endif static struct kmem_cache *smack_inode_cache; struct kmem_cache *smack_rule_cache; int smack_enabled; @@ -2320,7 +2318,6 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) return NULL; } -#if IS_ENABLED(CONFIG_IPV6) /* * smk_ipv6_localhost - Check for local ipv6 host address * @sip: the address @@ -2388,7 +2385,6 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) return NULL; } -#endif /* CONFIG_IPV6 */ /** * smack_netlabel - Set the secattr on a socket @@ -2477,7 +2473,6 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) return smack_netlabel(sk, sk_lbl); } -#if IS_ENABLED(CONFIG_IPV6) /** * smk_ipv6_check - check Smack access * @subject: subject Smack label @@ -2510,7 +2505,6 @@ static int smk_ipv6_check(struct smack_known *subject, rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); return rc; } -#endif /* CONFIG_IPV6 */ #ifdef SMACK_IPV6_PORT_LABELING /** @@ -2599,6 +2593,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) mutex_unlock(&smack_ipv6_lock); return; } +#endif /** * smk_ipv6_port_check - check Smack port access @@ -2661,7 +2656,6 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, return smk_ipv6_check(skp, object, address, act); } -#endif /* SMACK_IPV6_PORT_LABELING */ /** * smack_inode_setsecurity - set smack xattrs @@ -2836,24 +2830,21 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, return 0; if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; -#ifdef SMACK_IPV6_SECMARK_LABELING - struct smack_known *rsp; -#endif + struct smack_known *rsp = NULL; if (addrlen < SIN6_LEN_RFC2133) return 0; -#ifdef SMACK_IPV6_SECMARK_LABELING - rsp = smack_ipv6host_label(sip); + if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) + rsp = smack_ipv6host_label(sip); if (rsp != NULL) { struct socket_smack *ssp = sock->sk->sk_security; rc = smk_ipv6_check(ssp->smk_out, rsp, sip, SMK_CONNECTING); } -#endif -#ifdef SMACK_IPV6_PORT_LABELING - rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); -#endif + if (__is_defined(SMACK_IPV6_PORT_LABELING)) + rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); + return rc; } if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) From 092c94aed3e1bb0946fc7ba176cc3b4376d9910f Mon Sep 17 00:00:00 2001 From: Maninder Singh Date: Thu, 9 Apr 2020 18:09:58 +0530 Subject: [PATCH 2/6] smack: remove redundant structure variable from header. commit afb1cbe37440 ("LSM: Infrastructure management of the inode security") removed usage of smk_rcu, thus removing it from structure. Signed-off-by: Maninder Singh Signed-off-by: Vaneet Narang Signed-off-by: Casey Schaufler --- security/smack/smack.h | 1 - 1 file changed, 1 deletion(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 335d2411abe4..09ed7f343be4 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -111,7 +111,6 @@ struct inode_smack { struct smack_known *smk_mmap; /* label of the mmap domain */ struct mutex smk_lock; /* initialization lock */ int smk_flags; /* smack inode flags */ - struct rcu_head smk_rcu; /* for freeing inode_smack */ }; struct task_smack { From 84e99e58e8d1e26f04c097f4266e431a33987f36 Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Thu, 9 Apr 2020 16:35:28 -0700 Subject: [PATCH 3/6] Smack: slab-out-of-bounds in vsscanf Add barrier to soob. Return -EOVERFLOW if the buffer is exceeded. Suggested-by: Hillf Danton Reported-by: syzbot+bfdd4a2f07be52351350@syzkaller.appspotmail.com Signed-off-by: Casey Schaufler --- security/smack/smackfs.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e3e05c04dbd1..c21b656b3263 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -878,11 +878,21 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, else rule += strlen(skp->smk_known) + 1; + if (rule > data + count) { + rc = -EOVERFLOW; + goto out; + } + ret = sscanf(rule, "%d", &maplevel); if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) goto out; rule += SMK_DIGITLEN; + if (rule > data + count) { + rc = -EOVERFLOW; + goto out; + } + ret = sscanf(rule, "%d", &catlen); if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM) goto out; From 921bb1cbb31bb0424b47de52174da20367449c8e Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Fri, 24 Apr 2020 15:23:04 -0700 Subject: [PATCH 4/6] Smack:- Remove mutex lock "smk_lock" from inode_smack "smk_lock" mutex is used during inode instantiation in smack_d_instantiate()function. It has been used to avoid simultaneous access on same inode security structure. Since smack related initialization is done only once i.e during inode creation. If the inode has already been instantiated then smack_d_instantiate() function just returns without doing anything. So it means mutex lock is required only during inode creation. But since 2 processes can't create same inodes or files simultaneously. Also linking or some other file operation can't be done simultaneously when the file is getting created since file lookup will fail before dentry inode linkup which is done after smack initialization. So no mutex lock is required in inode_smack structure. It will save memory as well as improve some performance. If 40000 inodes are created in system, it will save 1.5 MB on 32-bit systems & 2.8 MB on 64-bit systems. Signed-off-by: Vishal Goel Signed-off-by: Amit Sahrawat Signed-off-by: Casey Schaufler --- security/smack/smack.h | 1 - security/smack/smack_lsm.c | 8 ++------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 09ed7f343be4..803b024d3585 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -109,7 +109,6 @@ struct inode_smack { struct smack_known *smk_inode; /* label of the fso */ struct smack_known *smk_task; /* label of the task */ struct smack_known *smk_mmap; /* label of the mmap domain */ - struct mutex smk_lock; /* initialization lock */ int smk_flags; /* smack inode flags */ }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 14bf2f4aea3b..339356939018 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -314,7 +314,6 @@ static void init_inode_smack(struct inode *inode, struct smack_known *skp) isp->smk_inode = skp; isp->smk_flags = 0; - mutex_init(&isp->smk_lock); } /** @@ -3264,13 +3263,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) isp = smack_inode(inode); - mutex_lock(&isp->smk_lock); /* * If the inode is already instantiated * take the quick way out */ if (isp->smk_flags & SMK_INODE_INSTANT) - goto unlockandout; + return; sbp = inode->i_sb; sbsp = sbp->s_security; @@ -3321,7 +3319,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) break; } isp->smk_flags |= SMK_INODE_INSTANT; - goto unlockandout; + return; } /* @@ -3456,8 +3454,6 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) isp->smk_flags |= (SMK_INODE_INSTANT | transflag); -unlockandout: - mutex_unlock(&isp->smk_lock); return; } From 4ca75287064be97ac6b67e332e0c082291a515dc Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Tue, 28 Apr 2020 15:00:26 -0700 Subject: [PATCH 5/6] Smack:- Remove redundant inode_smack cache The inode_smack cache is no longer used. Remove it. Signed-off-by: Vishal Goel Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 339356939018..6d4883a43fff 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -52,7 +52,6 @@ static DEFINE_MUTEX(smack_ipv6_lock); static LIST_HEAD(smk_ipv6_port_list); -static struct kmem_cache *smack_inode_cache; struct kmem_cache *smack_rule_cache; int smack_enabled; @@ -4747,15 +4746,9 @@ static __init int smack_init(void) struct cred *cred = (struct cred *) current->cred; struct task_smack *tsp; - smack_inode_cache = KMEM_CACHE(inode_smack, 0); - if (!smack_inode_cache) - return -ENOMEM; - smack_rule_cache = KMEM_CACHE(smack_rule, 0); - if (!smack_rule_cache) { - kmem_cache_destroy(smack_inode_cache); + if (!smack_rule_cache) return -ENOMEM; - } /* * Set the security state for the initial task. From ef26650a201fbbb4ba90b63a82bf7950f2699a82 Mon Sep 17 00:00:00 2001 From: YueHaibing Date: Sat, 9 May 2020 19:20:19 +0800 Subject: [PATCH 6/6] Smack: Remove unused inline function smk_ad_setfield_u_fs_path_mnt commit a269434d2fb4 ("LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH") left behind this, remove it. Signed-off-by: YueHaibing Signed-off-by: Casey Schaufler --- security/smack/smack.h | 4 ---- 1 file changed, 4 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 803b024d3585..e9e817d09785 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -497,10 +497,6 @@ static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a, struct dentry *d) { } -static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a, - struct vfsmount *m) -{ -} static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a, struct inode *i) {